• Status: Solved

DHCP & DNS sometimes unable to open AD to consult directory

Hi all,

THIS IS AN EMERGENCY, my customer is not far from killing me...

I have migrated a W2003 AD to a W2k8 Standard one (IP: 192.1.1.15), all by the normal process.

The domain is only a 3-character one (ABC).

Since then, DHCP & DNS SOMETIMES cannot reach the AD and people cannot log on, etc.

And about thirty people cannot work!

This server is the only one in the structure and it is the schema master and all.

Also, after a reboot I can reach the internet from that server, but after a while the internet does not work anymore.

But for all the clients it works, with the address 192.1.1.15 of this server as the only DNS server of the company.


With an nslookup check my server is normally recognized; the only warning I have is for IPv6, which is disabled on the NIC.

When I use the built-in Analysis tool, I get the 2 following errors (translated from French):

1) The DNS server 192.1.1.15 has not been able to resolve the name of the start of authority (SOA) record of the zone hosting the forest root domain name of the computer.

2) The DNS server 192.1.1.15 has not been able to resolve the name of the start of authority (SOA) record of the zone hosting the primary DNS domain name of the computer.

I have deleted & rebuilt my DNS server without success!

There is only one address configured (192.1.1.15) as a DNS (the ISPs' servers are configured as forwarders).

On the domain controller, with the analysis tool I got the following error:

This domain controller must register its DNS host resource records (A or AAAA) for the domain.

But when I check the DNS they are present (I believe).

Following is the original error (translated here from French):
This domain controller must register its DNS host resource records (A or AAAA) for the domain.

Severity:
Error

Date:
29/04/2011 19:37:24

Category:
Configuration

Problem:
The DNS resource records (A/AAAA) "LdapIpAddress", which publish this domain controller as an available LDAP server in the domain and which point to its IPv4 or IPv6 addresses, are not registered. All writable domain controllers in the domain (but not read-only domain controllers) must register this record.

Impact:
Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller as a writable LDAP (Lightweight Directory Access Protocol) server. This domain controller will not be able to provide a complete set of services.

Resolution:
Ensure that "LdapIpAddress" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the host (A/AAAA) resource records "PVI", which point to the IP addresses of the local computer, are registered in DNS.

More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=126970

I have checked in the registry and "DnsAvoidRegisteredRecords" is purely and simply not present!
For info, I have no group policies.

Thanks for illuminating my mind, which is starting to be in the fog.
0
Asked: FastTurtle
1 Solution
 
FemSteenkamp Commented:
Hi

Make sure that the DC points to itself as a DNS server only.

I presume when you look at the DNS, the domain controller is unable to register itself in the DNS domain, which I presume is AD integrated?

Sometimes during the upgrade the security of the integrated DNS is not set up/copied correctly. To identify if this is the problem, you can convert the domain name (what is your FQDN name of the domain??) from AD integrated to a file version (untick the checkbox that says to store in AD) and allow unsecure updates. Make sure that the _msdcs.(your domain FQDN) is also changed.

After a reboot the DC should register the needed DNS records.
0
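As an added example (not part of this thread and not code from either participant), the checks behind the advice above can be scripted so they are repeatable instead of eyeballed in the GUI: the DC's NIC must list its own address as DNS (and not the loopback address first, which is the BPA warning quoted later in the thread), Netlogon must not be told to skip the LdapIpAddress record, and the DC's own DNS service must actually answer for the A, SRV and SOA records the BPA complains about. One fact the thread never states but which matters here: the domain name is single-label (PVI), and Windows treats a single-label zone as a top-level-domain zone, into which dynamic registration is disabled by default; the script reports the two documented settings that allow it. The script targets a Windows Server 2008-era DC with PowerShell 2.0, so it shells out to nslookup/nltest/dcdiag rather than using newer DnsClient cmdlets. The IP 192.1.1.15 and the name PVI come from the thread; the registry paths are the documented ones and are labelled in the comments.

```powershell
# Added example, not from the thread. Read-only health check for a DC that fails
# to register its DNS records; -ReRegister additionally triggers a fresh registration.
param(
    [string]$DcIp   = '192.1.1.15',   # from the thread
    [string]$Domain = 'PVI',          # single-label FQDN, from the thread
    [switch]$ReRegister               # when set, ask Netlogon/DNS client to re-register
)

$problems = @()

# 1. DNS client settings on every IP-enabled NIC of the DC.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $nics) {
    $dns = @($nic.DNSServerSearchOrder)
    Write-Host ("NIC {0}: DNS servers = {1}" -f $nic.Description, ($dns -join ', '))
    if ($dns.Count -eq 0) { $problems += "No DNS server configured on $($nic.Description)"; continue }
    if ($dns[0] -eq '127.0.0.1') { $problems += "Loopback is the FIRST DNS entry on $($nic.Description)" }
    if ($dns -notcontains $DcIp)  { $problems += "$($nic.Description) does not point at $DcIp" }
    $foreign = $dns | Where-Object { $_ -ne $DcIp -and $_ -ne '127.0.0.1' }
    if ($foreign) { $problems += "External DNS servers on the DC NIC (use forwarders instead): $($foreign -join ', ')" }
}

# 2. Netlogon must not exclude LdapIpAddress. The documented value name is
#    DnsAvoidRegisterRecords; the localized BPA text in the thread spells it
#    DnsAvoidRegisteredRecords, so both names are checked.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
foreach ($name in 'DnsAvoidRegisterRecords', 'DnsAvoidRegisteredRecords') {
    $v = $nl.$name
    if ($v -and ($v -contains 'LdapIpAddress')) { $problems += "$name excludes LdapIpAddress" }
}

# 3. Single-label domain: registration into a top-level-domain zone is off unless
#    the "Update Top Level Domain Zones" DNS Client policy is enabled and Netlogon
#    has AllowSingleLabelDnsDomain = 1 (paths per Microsoft's single-label guidance).
if ($Domain -notmatch '\.') {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    if (-not $pol -or $pol.UpdateTopLevelDomainZones -ne 1) {
        $problems += "Single-label domain '$Domain' but the UpdateTopLevelDomainZones policy is not enabled"
    }
    if ($nl.AllowSingleLabelDnsDomain -ne 1) {
        $problems += "Netlogon AllowSingleLabelDnsDomain is not 1 for single-label domain '$Domain'"
    }
}

# 4. Ask the DC's own DNS service for the records the BPA complained about.
#    The trailing dot stops nslookup from appending a search suffix to a single label.
function Test-Record([string]$Query, [string]$Type) {
    $out = & nslookup -type=$Type "$Query." $DcIp 2>&1 | Out-String
    # nslookup prints these on NXDOMAIN / server failure (English locale assumed)
    return -not ($out -match "Non-existent domain|can't find|\*\*\*")
}
if (-not (Test-Record $Domain 'A'))   { $problems += "No A record for '$Domain' (LdapIpAddress) on $DcIp" }
if (-not (Test-Record $Domain 'SOA')) { $problems += "SOA for '$Domain' not resolvable on $DcIp" }
if (-not (Test-Record "_ldap._tcp.dc._msdcs.$Domain" 'SRV')) { $problems += "No DC locator SRV record under _msdcs.$Domain" }

# 5. Optional: force a fresh registration and let dcdiag verify it.
if ($ReRegister) {
    & ipconfig /registerdns | Out-Null
    & nltest /dsregdns      | Out-Null
    Restart-Service Netlogon
    & dcdiag /test:dns /v
}

if ($problems.Count -eq 0) { Write-Host 'No DNS registration problems found.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it first without -ReRegister and read the warnings; a loopback-first entry or an ISP address on the DC's NIC is fixed in the adapter settings, the single-label findings are fixed per Microsoft's guidance for single-label domains, and only then is -ReRegister worth trying.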
 
FastTurtle (Author) Commented:
Hi Fern,
Thanks for your quick reply.
You presume correctly; it seems to correspond to the errors I have sent in my request.

The FQDN name of the domain is only: PVI

Can you indicate to me the way to convert the domain name to a text file, from AD integrated to a file version? What does it mean? I have seen that I can load zones from a file in the Advanced tab in my DNS server properties.

Thanks
0
 
FemSteenkamp Commented:
Launch the DNS snap-in on the DC.
Expand the "Forward Lookup Zones".
You should see your PVI domain listed there.
Right-click and select Properties.
On the General tab, under Type, click the Change button (I am presuming that it will say Active Directory-integrated at the moment???).
At the bottom of the popup screen there should be a checkbox that says "Store the zone in Active Directory".
Uncheck this, click OK, and OK again.

Exit the MMC and reboot the domain controller.
0
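The same conversion can be done with dnscmd instead of the snap-in, which makes it easier to back up first, to apply the same change to _msdcs.PVI as the earlier answer asked, and to undo it later. This is an added example, not code from the thread or from either participant. It assumes the DC runs its own DNS service, that the zone is named PVI (from the thread) and that _msdcs.PVI exists as a separate zone (common after a 2003 to 2008 upgrade; if _msdcs is only a folder inside PVI, drop it from $Zones). The `/AllowUpdate` values are the documented ones: 1 allows nonsecure and secure dynamic updates, 2 secure only.

```powershell
# Added example, not from the thread. Three phases: Backup -> ToFile -> Restore.
param(
    [ValidateSet('Backup', 'ToFile', 'Restore')] [string]$Phase = 'Backup',
    [string[]]$Zones = @('PVI', '_msdcs.PVI')   # zone names assumed from the thread
)

function Show-ZoneState([string]$Zone) {
    # dnscmd /ZoneInfo lists the zone type, DS integration, update setting and data file
    & dnscmd /ZoneInfo $Zone | Where-Object { $_ -match 'type|integrated|update|data file' }
}

foreach ($z in $Zones) {
    Write-Host "== $z =="
    switch ($Phase) {
        'Backup' {
            # Export before touching anything; the file lands in %SystemRoot%\System32\dns.
            & dnscmd /ZoneExport $z "$z-backup-$(Get-Date -Format yyyyMMdd).dns"
        }
        'ToFile' {
            # Same step as unticking "Store the zone in Active Directory": the zone becomes
            # a file-backed primary, then nonsecure updates (1) are allowed so that Netlogon's
            # registration is not blocked by broken ACLs on the AD copy of the zone.
            & dnscmd /ZoneResetType $z /Primary /file "$z.dns"
            & dnscmd /Config $z /AllowUpdate 1
        }
        'Restore' {
            # Once the records are registered (nltest /dsregdns and the BPA are clean),
            # go back to AD-integrated with secure-only updates (2): with updates left at 1,
            # any host on the network could overwrite the DC's own records.
            # /overwrite_ds replaces the stale copy in the directory; this is the only DC,
            # so no other DC's data is affected.
            & dnscmd /ZoneResetType $z /DsPrimary /overwrite_ds
            & dnscmd /Config $z /AllowUpdate 2
        }
    }
    Show-ZoneState $z
}

# After the ToFile phase: reboot as the answer says, or at least
#   Restart-Service Netlogon; nltest /dsregdns; dcdiag /test:dns
# then check that the PVI A record and the _ldap._tcp.dc._msdcs.PVI SRV record exist.
```

Run `.\script.ps1 -Phase Backup`, then `-Phase ToFile`, reboot, verify, and finish with `-Phase Restore`; the nonsecure-update state is a diagnostic step, not a place to leave a production DC.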
 
FastTurtle (Author) Commented:
The server is in production.

Is it the only thing to do, or do I have to execute the other instruction too (allow unsecure updates), etc.?

Can I make it right now without risk, or is it recommended to wait for this evening?
0
 
FastTurtle (Author) Commented:
Hi FemSteenkamp,

I have applied the modifications you suggested to me; let's see from now till Monday what happens.

I'll keep you informed; for your information, the only thing I continue to have is that error after analysis:

This domain controller must register its DNS host resource records (A or AAAA) for the domain.

Otherwise, AT THAT MOMENT the IE of the server is working correctly.
0
 
FastTurtle (Author) Commented:
Hi,

Now, after 24 hours, the server is still able to go to the internet, but it seems only to its home page (Google), and able to search normally from it.

Once we want to access any search result, it seems that we have no access to these sites (maybe it is very, very slow and I have to wait a lot). Anyway, this is not normal.

0
 
FemSteenkamp Commented:
Hi

can the people now at least log in to the domain?
0
 
FastTurtle (Author) Commented:
Yes,

Like before, the problem was that SOMETIMES they could not (at that moment the error messages were for DHCP & DNS (unable to open AD)).

I have just checked access to web sites with IE9 and AGAIN it can't reach any site anymore!
Also, I still have the following errors after running the built-in Best Practices Analyzer tool for the DC:

This domain controller must register its DNS host resource records (A or AAAA) for the domain.

And for the DNS, the 3 following errors:

1) This DNS server must include a loopback address which is not the first one...
2) The DNS server 192.1.1.15 has not been able to resolve the name of the start of authority (SOA) record of the zone hosting the forest root domain name of the computer.
3) The DNS server 192.1.1.15 has not been able to resolve the name of the start of authority (SOA) record of the zone hosting the primary DNS domain name of the computer.

So I start to go crazy.

Thanks for your support and any suggestions
0
 
FastTurtle (Author) Commented:
Also,

This server is also a file server and a print server.
0
 
FastTurtle (Author) Commented:
Quick reply & very accurate.

Thanks again
0
